The Windows Task Manager may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching Task Manager as a privileged user, selecting lsass.exe, and clicking “Create dump file”. This saves a dump file to disk with a deterministic name that includes the name of the process being dumped.

This requires filesystem data to determine whether files have been created.

ATT&CK Detection

Technique Subtechnique(s) Tactic(s) Level of Coverage
OS Credential Dumping LSASS Memory Credential Access Low

Data Model References

Object Action Field
file create file_name
file create image_path

Implementations

Procdump - File Create (Pseudocode)

This base pseudocode looks for file create events where a file with a name similar to lsass.dmp is created by the Windows task manager process.

files = search File:Create
lsass_dump = filter files where (
  file_name = "lsass*.dmp"  and
  image_path = "C:\Windows\*\taskmgr.exe")
output lsass_dump

Procdump - File Create (Splunk, Sysmon native)

A Splunk/Sysmon version of the above pseudocode.

index=__your_sysmon_index__ EventCode=11 TargetFilename="*lsass*.dmp" Image="C:\\Windows\\*\\taskmgr.exe"

Procdump - File Create (Eql, EQL native)

An EQL version of the above pseudocode.

file where file_name == "lsass*.dmp" and process_name == "taskmgr.exe"

Unit Tests

Test Case 1

  1. Open Windows Task Manager as Administrator
  2. Select lsass.exe
  3. Right-click on lsass.exe and select “Create dump file”.

True Positives

Mordor (sysmon)

Sysmon event from the Mordor Interactive Task Manager lsass dump dataset.

Full Event
Event Snippet
{
	"@event_date_creation": "2019-10-27T05:45:39.851Z",
	"@file_date_creation": "2019-10-27T05:45:39.851Z",
	"@timestamp": "2019-10-27T05:45:39.858Z",
	"@version": "1",
	"action": "filecreate",
	"event_id": 11,
	"file_name": "c:\\\\users\\\\pgustavo\\\\appdata\\\\local\\\\temp\\\\lsass.dmp",
	"host_name": "it001.shire.com",
	"level": "information",
	"log_ingest_timestamp": "2019-10-27T05:45:39.858Z",
	"log_name": "Microsoft-Windows-Sysmon/Operational",
	"meta_user_reporter_name_is_machine": "false",
	"opcode": "Info",
	"process_guid": "a158f72c-2ef4-5db5-0000-00100fb48f00",
	"process_id": "2408",
	"process_name": "taskmgr.exe",
	"process_path": "c:\\\\windows\\\\system32\\\\taskmgr.exe",
	"provider_guid": "5770385f-c22a-43e0-bf4c-06f5698ffbd9",
	"record_number": 258042,
	"source_name": "Microsoft-Windows-Sysmon",
	"task": "File created (rule: FileCreate)",
	"thread_id": 3760,
	"type": "wineventlog",
	"user_reporter_domain": "NT AUTHORITY",
	"user_reporter_name": "SYSTEM",
	"user_reporter_sid": "S-1-5-18",
	"user_reporter_type": "User",
	"version": 2
}